Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan
Obfuscation [BGIRSVY 01,GGHRSW 13] Compiler: scrambles program, hiding implementation Industry accepted security notion: indist. Obfuscation P 1 (x) = P 2 (x) (x) io(p 1 ) c io(p 2 ) Crypto complete : io Most Crypto [GGHRSW 13,SW 13, BZ 13, BST 13, GGHR 13, BP 14, HJKSWZ 14, CLTV 14, ]
Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] Main tool for all constructions of obfuscation secret a F, i [k] Levels 1,,k, Field/Ring F Enc [a] i [a] i + [b] i [a+b] i public [a] i [b] j [ab] i+j [a] k IsZero Yes/No
Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] k levels: compute arbitrary degree k polynomials Asymmetric mmaps: additional restrictions E.g. multilinear polynomials
Obfuscation From Multilinear Maps Obfuscate(P): Enc Eval(x): x [p x ] k IsZero P(x) = 1 p x = 0
Applications of Multilinear Maps ABE PKFE SKFE io NIKE WE BE
Zeroizing Attacks on MMaps io NIKE PKFE ABE BE WE SKFE
Zeroizing Attacks on MMaps (Note: apps still possible using obfuscation)
Central Questions Q1: Is obfuscation secure? Q2: If so, how to show it?
This Work: Focus on GGH 13 Mmaps
Background
High- level description GGH13 Level i encoding of x: short x + g s z i (mod q)
High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) x 1 +gs 1 x 2 +gs 2 + = (x 1+x 2 )+g(s 1 +s 2 ) z i z i z i
High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add x 1 +gs 1 x 2 +gs 2. = (x 1x 2 )+g(s 1 x 2 +s 2 x 1 +gs 1 s 2 ) z i z j z i+j
High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Public parameter p zt = h zk g not too big p zt gs z k = hs not too big p zt x+gs z k = hx big g +hs
High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Notes: z must be secret (else can go down levels) g must be secret ([GGH 13] show attack otherwise)
Encodings of Zero A Necessary Evil Required for (Most) Applications Re- randomization Needed for most (direct) applications Needed to use any simple assumption on mmaps Add random subset of low- level zeros Successful zero test top level zero
Encodings of Zero A Necessary Evil Required for (Most) Applications Two low- level zeros: e 1 = g s 1 /z i, e 2 = g s 2 /z k-i Multiple of g p zt e 1 e 2 mod q = hgs 1 s 2 (over Z) Dangerous For Security
Encodings of Zero A Necessary Evil Required for (Most) Applications Zeroizing attacks: GGH 13: Source group assumptions (e.g. DLin, Subgroup decision) are false CGHLMMRST 15: Immunizations don t work HJ 16: MDDH is false, multiparty NIKE broken Probably other assumptions broken too (MDHE, etc) Dangerous For Security
Encodings of Zero A Necessary Evil Required for (Most) Applications Dangerous For Security
What about Obf/WE/SKFE? Good News: No re- randomization needed in application no low- level zeros (explicit or implicit) Bad News: Top level zeros may still be generated during use Re- rand still needed for simple assumptions
Central Questions (Restated) Q1: Can top- level zeros be used to attack io? Q2: How to argue security against zeroizing attacks?
Q1: Affirmative! Thm* [MSZ 16]: The branching program obfuscators in [BGKPS 14, PST 14, AGIS 14, BMSZ 16] over GGH 13 do not satisfy io *Small heuristic component
(Single input) Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A 7,1 8,1 2 4 2 1 3 4 2 5 x = 11001: IMP x ( {A i,b } ) = A 1,1 A 2,0 A 3,1 A 4,1 A 5,0 A 6,0 A A 7,1 8,1 If IMP x = 0, output 1, otherwise output 0
[BMSZ 16] Obfuscator Building on [GGHRSW 13,BR 14,BGKPS 14,AGIS 14, ] α 1,0 R 2 R 2-1 A 1,0 α 2,0 A 2,0 R 3 α 3,0 R 3-1 A 3,0 R 4 α t,0 R t -1 A t,0 α 1,1 A 1,1 R α 2 2,1 R -1 2 A 2,1 R α 3 3,1 R -1 3 A 3,1 R α 4 t,1 R -1 t A t,1 asymmetric mmap
[BMSZ 16] Over GGH 13 Randomized Branching Program Encoding randomness B i,b = α i,b R -1 i A i,b R i+1 S i,b Evaluation: Obfuscation encodings B i,b + z i,b g S i,b C i,b = mod q IMP x ( ) T p x = zt C i,b test if not too big mod q
Attack: Annihilating Polynomials T x = p zt h g IMP x ( C i,b ) mod q B i,b S i,b = IMP x ( + g ) mod q h g B i,b = IMP x ( ) + D x ( α i,b, S i,b, R i ) + g E x ( α i,b, S i,b, R i ) mod q
Attack: Annihilating Polynomials Suppose P(x) = 1 IMP x ( B i,b ) = 0 T x h = IMP x ( B i,b ) + D x ( α i,b g, S i,b, R i ) + g E x (,, ) α i,b S i,b R i mod q not too big, so holds over Z
Attack: Annihilating Polynomials Suppose P(x) = 1 T x = D x ( α i,b, S i,b, R i ) + E x ( α i,b, S i,b, R i ) g Efficiency: Poly- many free vars Exp- many inputs: Pick larger poly set of D x Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0
Attack: Annihilating Polynomials Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0 Annihilating polynomial Q(T x1, T x2, ) = Q(D x1 +ge x1, D x2 +ge x2, ) = Q(D x1, D x2, ) + gq + g 2 Q + = gq + g 2 Q + Multiple of g
Attack: Annihilating Polynomials Goal: find Q that annihilates P 1, but not P 2 Distinguishing Attack* Extends to any purely algebraic obfuscator Problem: in general, annihilation is hard Thm ([Kay 09]): Unless PH collapses, there are dependent polys for which an annihilating polynomial requires super- polynomial sized circuits Question: Can annihilating polys be found for particular obfuscators/programs? * Additional work needed to test for multiple of g
Attack: Annihilating Polynomials Consider single- input setting (used to prove io) Suppose trivial branching program: A i,0 =A i,1 =A i Explicit annihilating polynomial for [BMSZ 16]: q = (D 000 D 111 ) 2 + (D 001 D 110 ) 2 + (D 010 D 101 ) 2 + (D 100 D 011 ) 2-2D 000 D 111 D 001 D 110 2D 000 D 111 D 010 D 101 2D 000 D 111 D 100 D 011-2D 001 D 110 D 010 D 101 2D 001 D 110 D 100 D 011 2D 010 D 101 D 100 D 011 + 4D 000 D 011 D 101 D 111 + 4D 111 D 001 D 010 D 100 Computed by reducing problem to finite size, then brute- force search
Attack: Annihilating Polynomials For dual input: First, reduce problem to finite size Brute- force annihilating poly in constant time Haven t found it yet, but still gives poly- time attack Other obfuscators: [BR 14,BGKPS 14, PST 14, AGIS 14]: similar analysis Also attack ORE (SKFE) [BLRSZZ 15] over GGH 13
Now What? Goal: Argue security of other schemes Problem: Cannot use simple assumptions Solution: Argue security in abstract attack models
Restricted Black Box Fields F = Field, P = class of polynomials on n variables p P IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n F Generic Groups*: P = { Linear functions } Black Box Fields*: P = { Polys with small algebraic circuits} Symmetrix multilinear maps*: P = { Degree k polynomials} Asymmetric multilinear maps*: P = { More complicated restrictions} * Often need greater functionality requirements for protocols. This model suffices for our discussion
Obfuscation in Restricted BBFs ( model used by [BR 14,BGKPS 14,AGIS 14,Z 15,AB 15,BMSZ 16] ) Obfuscate(C): p x P BBF with restricted polynomial class P Eval(x): IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n ß D C If IsZero gives True, output 1 If IsZero gives False, output 0 Our Attack: Model is false for GGH 13
A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS
Obfuscation for evasive functions [BMSZ 16] Honest executions always give non- zero Thm([BMSZ 16]): Only way for level respecting adversary to get zero is through honest program executions Impossible to find zeros anywhere for evasive funcs Compare to prior abstract model theorems: Thm([BR 14, BGKPS 14, ]): For level respecting adversary, can guess output of IsZero just by knowing P(x) Doesn t say if/when finding a zero is possible
A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS Model useless in non- evasive settings, e.g. io, SKFE Need model that allows for zeros to occur
Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Attack
Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Polynomial in the zeros Multiple of g Attack
Refined Abstract Model for Mmap attacks p P a 1, a 2,, a n F s 1, s 2,, s n ß $ F indeterminant Write p(a 1 +gs 1,, a n +gs n ) = c + dg + If c 0, output False If c = 0, output True, d * Also need to assume degree << F Efficient polys* q Q Unrestricted BBF d 1 d 2 d 3 If q(d 1, d 2, ) = 0, adversary wins
Refined Abstract Model for Mmap attacks Seems to capture intuition behind attacks Proof in refined model Heuristic evidence of security against current attacks But keep in mind that: Attack in refined model Not trivially Attack on actual protocol
Blocking Attacks [GMMSSZ 16] Notably absent from attacked schemes: [GGHRSW 13] A i,b : A i,b D i,b Random diagonal converts even trivial branching programs into non- trivial ones size > multilinearity
Blocking Attacks [GMMSSZ 16] Our fix: append random block matrix A i,b : A i,b E i,b Potentially as small as 2 2
Blocking Attacks [GMMSSZ 16] Let BP E be branching program defined by E matrices Let E x be evaluation of BP E on input x Thm: If polynomial Q annihilates {D x }*, then it annihilates {E x } as well Let BP F be any BP, F x evaluation of BP F Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well * = with noticeable probability
Example Proof Sketch Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well Let E i,b = F i,b + r E i,b random E x = F x + r F x + r 2 F x + Q( {E x } ) = Q( {F x } ) + r Q + r 2 Q + By Schwartz- Zippel, if Pr[Q = 0] = non-negl, Then Q must be identically 0 Q( {F x } ) = 0
Branching Program Unannihilateability Assumption: For any efficient polynomial Q*, there is a branching program not annihilated by Q Easy fact: PRFs in NC 1 give unannihilateable branching programs Corollary: Assuming BPUA (or NC 1 PRFs), our obfuscator is secure in the weak mmap model for [GGH 13] * of not too high degree
Future Directions Substantiate BPUA (P NP, general OWF, etc) Attack GGH 13 without annihilating polys Extend to obfuscation for circuits Mostly solved: [DGGMM 16] assuming NC 1 PRFs Extend attacks to CLT 13, GGH 15 Partial progress: [CLLT 16] for single- input io over CLT 13 Useful abstract attack model for CLT 13, GGH 15 Thanks!